chore: remove root-level cruft and harden .gitignore

[jeremyeder]

Summary

• Remove 34 tracked files (27,392 lines) of accumulated development artifacts that don't belong in the repo
• Harden .gitignore to prevent re-introduction
• Fix trailing whitespace and missing newlines caught by pre-commit hooks

What was removed

Path	Reason
.cursor/commands/ (7 files)	IDE-specific config, already gitignored but was tracked before the rule
.specify/ (13 files)	Unused speckit tool artifacts (scripts, templates, memory docs)
Prompts/ (3 files)	Old "vTeam" assessment prompt templates, unused
hack/automated-deployer.yaml	One-off deployer config, superseded by proper manifests
repomix-analysis/ (3 files, 755KB XML)	One-off repo analysis report and heatmap
AMBER_SETUP.md	Dev tool setup guide, not platform code
TESTING_SUMMARY.md	Documents old GHA experiment branch, no longer relevant
package-lock.json	Empty 6-line stub at root (no root-level npm project)

.gitignore additions

• .specify/ — speckit artifacts
• repomix-analysis/, Prompts/, hack/ — experiment/one-off dirs
• .venv* glob (replaces exact .venv match, covers .venv-langfuse etc.)
• *.csv — personal data exports

Whitespace fixes

Pre-push hooks auto-fixed trailing whitespace and missing final newlines in 10 files across frontend, manifests, runner, and docs.

Test plan

• Pre-commit hooks pass
• Pre-push hooks pass
• CI passes (no functional code changes — only deletions and whitespace)

🤖 Generated with Claude Code

[github-actions]

Claude Code Review

Summary

PR #680 is a housekeeping/cleanup change with zero functional code changes. It removes 34 tracked development artifacts (27,392 lines), restructures .gitignore to be project-specific and prevent re-introduction, and applies trailing-whitespace/missing-newline fixes across 10 active files. This is a low-risk, high-value cleanup.

---

Issues by Severity

🚫 Blocker Issues

None.

---

🔴 Critical Issues

None. No functional code paths are modified.

---

🟡 Major Issues

None.

---

🔵 Minor Issues

1. Unanchored .gitignore patterns may be overly broad

Three patterns added to .gitignore are not anchored to the repo root, so they would match any directory with that name anywhere in the tree — including inside subcomponents or future monorepo additions:

hack/           # also matches components/some-pkg/hack/
Prompts/        # also matches docs/Prompts/ etc.
repomix-analysis/

If these are truly root-only artifacts, anchor them with a leading /:

/hack/
/Prompts/
/repomix-analysis/

.specify/ and .cursor/ are IDE/tooling dirs that are reasonable to ignore everywhere, so those are fine unanchored.

2. *.log negation exception is implicit / fragile

# Build artifacts and logs
*.log
!components/**/*.log

The negation works correctly because *.log matches files (not directories), but the intent — "allow tracked log files under components/" — isn't obvious. A brief inline comment explaining why component-level logs might be intentionally committed would prevent a future contributor from simplifying this to a bare *.log and accidentally hiding real log files.

3. .specify/scripts/bash/ deletion removes non-trivial shell scripts without a recorded replacement

The deleted bash scripts (check-prerequisites.sh, create-new-feature.sh, etc.) were part of the speckit workflow. They're no longer needed because the equivalent functionality moved to .claude/commands/speckit.*, but nothing in this PR or the commit message records that migration explicitly. A brief note in BOOKMARKS.md or CLAUDE.md pointing to .claude/commands/ as the current speckit entry point would preserve that context.

This is informational — the code deletion itself is correct.

---

Positive Highlights

• Correct security posture preserved: .gitignore retains strong secret-file exclusion patterns (*.env, minio-credentials-secret.yaml, postgresql-credentials-secret.yaml, unleash-credentials-secret.yaml). No secrets were in the deleted files.
• No auth/RBAC regressions: The whitespace-only changes to page.tsx, settings-section.tsx, and hydrate.sh touch no logic paths. The user-token auth pattern (GetK8sClientsForRequest) is unaffected.
• Pre-commit hygiene enforced: All whitespace fixes are exactly what the pre-commit hooks (trailing-whitespace, end-of-file-fixer) would catch. Good that these are fixed before merge rather than after.
• repomix-analysis/03-architecture-only.xml removal: 21,767-line XML file with embedded repo paths and architecture data should not be tracked. Removing it reduces repo size and avoids accidentally committing analysis artifacts with potentially sensitive directory structures in the future.
• Root package-lock.json stub removal: A 6-line empty package-lock.json at repo root with no corresponding package.json or node_modules was purely confusing noise. Correct to delete.
• .gitignore is now project-specific: The previous .gitignore was a generic Python template (Django stubs, Scrapy, Jupyter, pyenv, Flask instance dirs — none of which apply here). The new version is intentional and readable.
• vendor/ ignored for Go: Correct per Go module best practices; the project uses go mod not vendoring.

---

Recommendations

1. (Minor) Anchor hack/, Prompts/, and repomix-analysis/ with a leading / in .gitignore to limit scope to the repo root.
2. (Informational) Add a comment next to !components/**/*.log explaining the intent, or remove the exception if there are currently no intentionally-tracked log files under components/.
3. (Informational) Consider a one-liner in BOOKMARKS.md noting that speckit workflows now live in .claude/commands/speckit.* rather than .specify/scripts/.

Verdict: Safe to merge. The PR is a well-scoped cleanup with no functional risk. The minor .gitignore anchoring issues are worth a quick follow-up but are not merge blockers.

---

Review generated by Claude Sonnet 4.6 using project standards from .claude/context/ and .claude/patterns/.

---

🔍 View AI decision process (logs available for 90 days)

📋 View memory system files loaded (click to expand)

What Amber Loaded for Code Review

Amber automatically loaded these repository standards from the memory system:

1. CLAUDE.md - Master project instructions, development standards
2. backend-development.md - Go backend, K8s integration patterns
3. frontend-development.md - NextJS, Shadcn UI, React Query patterns
4. security-standards.md - Auth, RBAC, token handling
5. k8s-client-usage.md - User token vs service account patterns
6. error-handling.md - Consistent error patterns
7. react-query-usage.md - Data fetching patterns

Impact: This review used your repository's specific code quality standards, security patterns, and best practices from the memory system (PRs #359, #360) - not just generic code review guidelines.

[github-actions]

Claude Code Review

Summary

Maintenance PR removing 34 tracked development artifacts (27,392 lines) that accumulated in the repo, hardening .gitignore to prevent re-introduction, and applying pre-commit whitespace fixes across 10 functional files. No functional code changes — all substantive modifications are file deletions and whitespace normalization.

Issues by Severity

🚫 Blocker Issues

None.

🔴 Critical Issues

None.

🟡 Major Issues

1. *.csv is an overly broad gitignore pattern

*.csv           # personal data exports

This will silently ignore any CSV test fixtures, seed data, or documentation added in the future. A developer adding e2e/fixtures/test-users.csv would have it quietly untracked with no warning.

Recommendation: Scope it more tightly, e.g.:

# Personal data exports (not fixtures)
*-export.csv
*-report.csv

Or add an exception for known fixture paths:

*.csv
!e2e/fixtures/**/*.csv

2. hack/ and Prompts/ directory patterns are broad

Both are common directory names that could conflict with legitimate future additions. hack/ is a Go convention for tooling scripts that some contributors may want to track. Recommend confirming these are truly never needed in version control, or using more qualified paths (/hack/, /Prompts/).

🔵 Minor Issues

3. !components/**/*.log exception scope

*.log
!components/**/*.log

This exception allows any .log file at any depth under components/ to be tracked — which is very permissive. If the intent is to allow specific test logs, a narrower path would be safer. No immediate harm since there are no .log files in components/ currently, but it's a footgun for the future.

4. node_modules/ and .next/ were missing from the original .gitignore

The PR correctly adds these, but the previous .gitignore only had e2e/node_modules/ — meaning the root node_modules/ and components/frontend/.next/ were unguarded. This is fixed here, but worth noting these should have been present from the start. Confirm there are no latently-tracked .next/ or node_modules/ subtrees hiding in history that this doesn't clean up.

5. repomix-analysis/, Prompts/, hack/ added to .gitignore but not using leading /

Without the leading / anchor, these patterns match any directory named repomix-analysis/ anywhere in the tree, not just at the repo root. This is unlikely to cause issues in practice but is worth being precise:

# Before: matches anywhere
repomix-analysis/

# Better: matches only at repo root
/repomix-analysis/
/Prompts/
/hack/

Positive Highlights

• Well-organized .gitignore — Reorganized with clear section headers (Python, Go, Node/Frontend, IDE/AI) replacing the original template-dump format. Much easier to reason about what's being excluded and why.
• .venv*/ glob — Correctly catches .venv-langfuse and any other variant, replacing the exact .venv match. Good catch.
• .specify/ tracking removed — These speckit artifacts (templates, memory docs, bash scripts) don't belong in the repo. The deletion is clean.
• .cursor/commands/ cleanup — These were tracked before the .cursor/ gitignore rule was added. The PR correctly removes them and prevents re-introduction.
• Pre-commit hooks pass — Whitespace fixes are machine-generated by the pre-commit hooks, not hand-edited, so they're trustworthy.
• vendor/ added — Prevents accidental go mod vendor commits.
• package-lock.json removal — The 6-line stub at root was an artifact with no associated npm project. Correct removal.
• PR description quality — Clear table of what was removed, why, and what test plan was followed.

Recommendations

1. Address *.csv scope — Either narrow the pattern or add explicit exceptions before merge.
2. Consider anchoring the one-off directory patterns — Prefix repomix-analysis/, Prompts/, and hack/ with / in .gitignore.
3. CI gate — The test plan marks CI as unchecked. Since no functional code changed, CI should pass cleanly, but confirm before merging.

Overall this is a solid cleanup PR. The .gitignore hardening and artifact removal are both correct and overdue. The only substantive concerns are the *.csv pattern scope and the non-anchored directory patterns, which are low-risk but worth tightening.

---

🔍 View AI decision process (logs available for 90 days)

📋 View memory system files loaded (click to expand)

What Amber Loaded for Code Review

Amber automatically loaded these repository standards from the memory system:

1. CLAUDE.md - Master project instructions, development standards
2. backend-development.md - Go backend, K8s integration patterns
3. frontend-development.md - NextJS, Shadcn UI, React Query patterns
4. security-standards.md - Auth, RBAC, token handling
5. k8s-client-usage.md - User token vs service account patterns
6. error-handling.md - Consistent error patterns
7. react-query-usage.md - Data fetching patterns

Impact: This review used your repository's specific code quality standards, security patterns, and best practices from the memory system (PRs #359, #360) - not just generic code review guidelines.